Faced with constantly evolving cyberattacks, Europe is imposing significant security requirements on companies and communities deemed essential to the activity of their country, backed by fines and the personal liability of managers.
Hospital hacks, grounded planes, theft of banking data or personal data files: cyberattacks are constantly being reported and concern businesses, administrations and communities alike. And of course, individuals, whether they are employees, customers of companies or users of public services.
Based on the idea that attacks cannot be entirely prevented, France initiated with Germany in 2016 a European text, the NIS directive, which has applied across Europe since 2018. It led France to designate around 300 companies from 12 sectors of activity (telecommunications, financial services, food, energy, etc.) as “operators of vital importance” (OIV).
These companies, whose list is intended to remain confidential, are therefore subject to reinforced security obligations and are answerable to the National Agency for the Security of Information Systems (ANSSI). The State considers that their failure, in the event of a cyberattack, would have a cascading effect on the functioning of the country.
The NIS directive therefore required the management committees of these large companies to make technical investments and review their internal organisation in order to comply (or at least move towards it). This makes the protection systems more uniform across the European continent. But this has proven insufficient.
A company, especially a large one, is less and less a monolithic entity that operates alone. It is increasingly connected with partners, subcontractors and distributors. The attacker, who chooses his target and his modus operandi, will seek to take advantage of these interconnections, each of which is a potential weak link in a production chain.
What is the point of securing the large company if the medium-sized companies connected to it are much less protected? The European Union has therefore decided to generalize the security obligations established in the NIS directive. Thus, the NIS-2 directive will come into force on October 17. Some 15,000 French companies and local authorities are now subject to this new specification. The scope has been extended to 18 sectors, with additions such as health, digital service providers and municipalities with more than 30,000 inhabitants.
As it is a directive, Member States must adopt national transposition laws to adapt the general principles present in the European text to their own environment.
To date, only 3 out of 27 countries (Belgium, Croatia and Hungary) have published their transposition law. The process in France was interrupted by the dissolution of the National Assembly. It will have to be put back on the agenda of Parliament.
ANSSI has opened a dedicated site to inform and support the companies and local elected officials concerned, so that they do not have to wait for the French law to be finalized. Fines are already planned in the event of failure to comply with security obligations (from 7 to 10 million euros or from 1.4% to 2% of global turnover, depending on the entity concerned), whichever amount is higher.
A new element: managers can be held personally liable. The idea is not to leave the subject in the hands of technicians alone, but to involve decision-making levels directly in this requirement for digital security.